Tennessee Electric Company Inc., d.b.a. TEC Industrial Maintenance & Construction, in July filed a complaint against TriSummit Bank, a $278 million institution based in Tennessee. The complaint alleges the bank is to blame for a series of fraudulent payroll drafts sent from TEC's account in 2012. TEC says the bank failed to have those ACH transactions approved by the utility before they were transmitted.

This is but the latest in a series of high-profile account takeover cases, and experts say it is going to put the onus on the bank to prove it took every possible measure to protect its customer from fraud.

Onus is on the Institution

In the wake of the 2011 FFIEC authentication guidance update, Doug Johnson, senior vice president of risk management policy for the American Bankers Association, says banking regulators have made it clear that it is banking institutions' responsibility to ensure they are providing layers of security to protect their customers' accounts.

And George Tubin, a banking fraud expert at anti-malware provider Trusteer, says even if a commercial customer's account is taken over because of a phishing attack and subsequent malware infection that resulted because of the customer's negligence, the onus is on the banking institution to detect and stop suspicious transactions.

In fact, unless a commercial customer explicitly declines to accept a certain security procedure offered by its bank, as was the case in the Choice Escrow and Land Title LLC account takeover incident, banks have struggled to prove their security measures were reasonable if fraud results, he explains.

"Based on the information presented, this case does not have a situation where the customer failed to use a certain security procedure or refused a security procedure," Tubin says. "The fact that the customer was infected by malware, which enabled this fraud, will not be viewed as something the customer did wrong. Anybody can get infected with malware, unless they're utilizing commercial-grade anti-malware software, which is usually only provided via the financial institution."

Julie Conroy, a financial fraud and security analyst at Aite, says TEC has a compelling case, but she sees nothing here that will help banking institutions better understand what constitutes "reasonable security" in the eyes of the courts.

"The confusion and mixed messages that we've received from the courts is around what levels of security qualify as 'commercially reasonable,'" Conroy says. "I don't see anything in this case that would help set a clear precedent in that regard."

TEC's Claims

According to the complaint, on May 10, 2012, 55 separate payroll orders totaling $327,804 were sent by TriSummit Bank to different accounts located throughout the U.S. The bank, however, failed to verify those orders with TEC, the utility claims.

Not only did the funds go to accounts that had not previously been paid by TEC, but the amounts, which ranged from $550 to $11,000, were not customary for the utility, the suit alleges.

TEC says its agreement with the bank also required that the bank call the utility before any payroll transactions were authorized. All of those calls, per the agreement between TEC and TriSummit, should have been recorded.

TEC argues that the 55 separate transactions approved in May 2012 were not authorized via a telephone call.

TEC also alleges it alerted the bank of suspicious activity just days before the fraudulent transactions were approved. On May 8, TEC's controller had trouble accessing the bank's online-banking site. After contacting the bank, the controller was advised to visit the branch and load the payroll files there. The following day, the controller received a phone call from someone claiming to be from the bank, asking that the employee try once more to access the online banking site to see if it was now working properly.

TEC claims its controller mentioned this suspicious phone call to numerous bank employees the next day, May 9, during a separate authorization call. The bank told TEC it would look into the matter, TEC says. The bank allegedly approved the fraudulent transactions just hours before that call.

TriSummit Bank was able to recover all but $192,656 of the $327,804 lost in fraudulent transactions, the suit states. Now TEC is asking that the bank refund its account for the amount the bank was not able to recover.

Going to Trial?

If the calls between the bank and utility were recorded, then the bank should have a record of the authorization history, says Trusteer's Tubin. He also says that if the claims made by this Tennessee utility are true, the bank would be wise to settle.

In the Experi-Metal Inc. and PATCO Construction Inc. cases, the courts ultimately favored the commercial customers. But an appellate court in June supported a lower court's ruling in the Choice Escrow case that favored the bank (see Bank Wins Account Takeover Loss Case).

The court found that Choice Escrow's refusal to use a dual-person authorization service for wire-transfer approval offered by the bank shielded the bank from liability.

In TEC's case, the bank now must prove its security measures were 'commercially reasonable,' Tubin says.

"Based on the information in the complaint, the bank should have detected this fraud," he says. "A 'commercially reasonable' security approach would have either detected and/or prevented the malware from stealing the user's credentials, and an anomaly detection system would have picked up the double ACH transactions for double the typical weekly amount."

Further, if the bank did not follow through on its voice confirmation of the fraudulent ACH transaction, as alleged, Tubin says, "The bank would clearly be at fault for not adhering to the security practice used every week to confirm the ACH transaction."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
